I have been having trouble with the Virtumonde virus. I have run VundoFix and VirtumondeBeGone but with no effect. Can anybody with a bit more know-how than me have a look at this? I have already removed some Google toolbar helper and Windows Live toolbar helper files which I know are associated with the Virtumonde virus. Windows Defender is also flagging up the virus but is unable to remove the files. The files that it says are infected do not exist and may be hidden; however, AVG rootkit doesn't discover anything.

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, tequila_stealer.

My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop.

Note: It is important that it is saved directly to your desktop.

Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found. Make sure everything found has a checkmark next to it, then press 'Next'. Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
• Click on 'Preferences'.
• Click on the 'Statistics/Logs' tab.
• Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
• It will then open in your default text editor, such as Notepad.
• Copy and paste the contents of that report into your next reply.

Also post a new Hijackthis log, and let me know how your PC is running now.

Note: Copy then paste all logs/reports directly into this topic, not as attachments, thanks.

Thank you again for your time. I will be making a donation when this problem is gone.

There was no file named cxdgmfbs.ini2 in the System32 folder.

I ran SUPERAntiSpyware and completed the HijackThis stuff.

Windows Defender flagged some files and Windows Defender is unable to remove them.

Here is the list of files.

Category: Trojan
Description: This program displays advertisements and may be difficult to remove.
Advice: Remove this software immediately.

Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\cxdgmfbs.ini2

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply. Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-----------------------------------------------------------

Double click on combofix.exe again and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.

Copy and paste the following bold blue text in the Quote box below into Notepad. Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop. Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

Run this online virus/spyware scan using Internet Explorer: Kaspersky WebScanner

Next click Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT.
• Now click on Scan Settings.
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Standard
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK.
• Now under select a target to scan:
  • Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
  • Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.